I origionally wanted to write a post about my thoughts on the twitter leak, but thinking about what could be done with leak data generically, it took me on new paths, the twitter leak is a conduit for this thinking.
I think what is discussed will be novel, not for everyone but still a fun talking point, I've deleted quite a fair amount of this post as I cannot show you the full journey as an attacker and as a result there's not much point in sharing the commandline kung-fu, working on the data,the main driver for not showing you the full attack path is that it will probably fall under Section 1 of the CMA as a more learnered friend suggested, and possibly a little bit more on the nose from another was and I quote "just to be clear, you're going to have a kid soon, and you're looking to use leaked stolen data to hijack the accounts of people on a third party platform in another country" ... well, you're no fun Steve. - this post is wholly in the name of research and stimulating defence, but he's right, there's little value in me taking you on the full journey when theoretically it's sound.
The Adversarial Concern
I wonder if any of these leaked email address domains are expired, and I wonder if I can buy them and inherit the identities associated with them via password resets
What might we get ?
In twitters case, that might just be a twitter account, verified or maybe some single sign on stuff 'sign in with twitter account' etc... could be a little, could be more.
or we might just blast audiances with BUY BITCOIN or Cheap Viagra or slurp slurp Elon slurp ... you get the idea
There's also utility in the data around who owns the accounts but that's not for this post, that's juicy OSINT stuff.
I've chosen to cut down this post so while whoisxmlapi.com has given me a ton of credits and I'm super greatful for the reaction and engagment from Anna and Jonathan, thank you! If you're not familiar with what they do and offer have a look - I'll be leaving out volume and statistics, you'll have to get your own whoisxmlapi account, it's all good, they're all friendly and super helpful. I will say that finding these incidents where domains are available is quite edge, I frame this as low probability variably high impact to the account owner.
I took full advantage of the Domain Availability Checker, tho I thought it best follwing conversations with friends go into the numbers or examples and just assure people that it's a real viable concern, and in this research based circumbstance I'm going to lean closer to what my friend Steve told me at the top of the page.
So from an attackers perspective it's compleatly possible to extract domains, look for domains that are available to buy, buy those domains, create the email address and use that as a means to access accounts associated that havent been closed, disabled or updated, and if that account looked like something relativly active, using inference mentioned in my other post, I cant see why they wouldnt try that email address against other social / online platforms.
Other nefarious utility might be that of Law enforcement, Intelligence and alike, perhaps someone died, is in jail or otherwise engaged, perhaps those countries where the services reside arent very fourthcomming with granting access etc...
What can we do as defenders ? do we want to ? is this too hard ?
Service providers could query domain expiration date of customers domains from the email address via services like whoisxmlapi.com (or roll their own), is that information worth extending to the user prior to domain expiration ? or is it more subtle to ensure they have a second means of identity (such as a phone number) or a back up email address, this is the bit i'm interested in, what's a user friendly way to defend against this
If you're an organisation that has a bit of a janky 'Joiners, Movers, Leavers' process (JML) for 3rd party suppliers that may integrade with systems new and old, is this a nice sweep to do every year ?
While I appreciate this is an acceptable risk for many, I'm curious to hear from those that may care about it more
The skinny for me is: Likelyhood is low, Impact is variable, is that worth it ?